Son of a Breach: The Most Notorious Criminal Enterprise on the Dark Web

Omni Hotels & Resorts, Jason's Deli, Chipotle, Saks Fifth Avenue, and Lord & Taylor all have something unfortunate in common: They've all been victimized by a highly organized and professional data-hacking organization known as Fin7.

"Fin7 is a large and extremely well-organized group of developers of malware used in numerous cyber attacks against retailers as well as financial institutions," says Steven J.J. Weisman, a data security expert who teaches about white-collar crime at Bentley University in Waltham, MA.

Waltham says the group is widely known to use spear phishing emails containing malware and point of sale malware installations to crack into a company's data network, and make off with valuable customer data. "This model continues to plague businesses and governments around the world."

Not Shy About the Spotlight

Fin7 is responsible for some of the most highly-publicized cyber attacks in the past few years, according to multiple reports. The rouge group even operates its own website on the dark web—Joker's Stash—where they sell the credit cards, Social Security numbers and other stolen data from their cyber attacks.

The Saks Fifth Avenue data breach, which resulted in the heist of five million customer credit card and debit card account numbers, immediately resulted in the organization's sale of 125,000 user accounts on the dark web, only days after the breach was revealed. The name the hackers used to hawk their stolen cyber-accounts would've made Tony Soprano proud: BIGBADABOOM-2.

Joker's Stash uses a business model similar to that of legitimate websites in that it provides customer service, discounts to repeat and large customers and even a return policy.

"They are incredibly organized with malware developers constantly improving their products, and are adept at money laundering," Weisman says. "They are incredibly profitable with estimates of at least $50 million dollars of illegal sales occurring each month. They will perform one of their numerous hacks and then sell the stolen credit cards and other data on their own website."

Dmitry Chorine, cofounder of Gemini Advisory, a threat intelligence company, estimates the group has around $1 billion stashed away after multiple years of stealing corporate data, and selling that data on the black market or dark web.

"They're connected to almost every major point of sale breach," he says. "From what we've learned over the years the group is operated as a business entity. They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let's not forget they have the financial means to stay hidden."

It's highly unlikely we'll ever know for sure how much Fin7 has made in ill-begotten gains over the years. What is clear is that these hackers know what they're doing, and global law enforcement authorities are struggling to bring the group to justice. Data security specialists agree with the notion that Fin7 is hard to pin down—but there are clues to their identity.

"They are likely a large group of loosely-associated but well-organized people, likely based in Russia or of a Russian-speaking context," says Michela Menting, research director at ABI Research, who says the group, or some version of it, has been around for quite some time, and is notorious in the cybercriminal space.

"They are capable, if not highly advanced, and are persistent," Menting notes. "They function much like any normal business entity; as such, likely have had some turnover, and some spin-offs. This makes it more difficult to pin down exact members."

Target-wise, Fin7 is known for favoring the low-hanging fruit, she adds. "Security awareness and risk management is certainly better today than it was a decade ago. That said, there are more than enough shoddy security implementations that Fin7 doesn't have to use highly sophisticated or complex attacks to obtain access to sensitive/confidential data."

Getting Away With It

How can Fin7 seemingly get away scot free from raiding the data accounts of some of the biggest business brands in the world?

"Organized web mobs function worldwide in numerous jurisdictions and make it difficult for governments to indict them," says Robert Siciliano, a data security expert at IDTheftSecurity.com. "It's likely there are 20-to-100-plus participants in the scheme."

While there are international laws and mandates regarding cybercrime, including the Council of Europe Convention on Cybercrime and law enforcement cooperation like Interpol and Europol, too many countries simply refuse to cooperate on cyber-crime cases, Russia and China most notably.

"Furthermore, they and other countries in Latin America, Asia-Pacific and Africa, may lack extradition treaties with European and North American countries," Menting says. "Often cybercriminals will sit in these ‘haven' countries and attack businesses and people in other countries where they know they won't be extradited to."

Additionally, there are many tools that can be used to steer cybercriminals into the shadows, like virtual private networks and encryption, so it is not a simple matter to track them down, he adds.

Still, "no one is immune" to the long arm of international law, Siciliano says. "Busting these groups takes a significant coordinated effort among governments. It's really just a matter of time until they fall."

Take Aggressive Steps Against Data Hackers

For starters, expect data breach attempts to occur and be ready to deal with them. Then, over the long-term, make data security a top business priority.

"Data piracy is an inevitability, and companies must be more proactive in safeguarding their customers' personal and financial information," says Jonas Sickler, marketing director at ReputationManagement.com. "Companies that don't prioritize data security run the risk of immense financial expenses related to fines, lawsuits, and loss of business through eroded customer trust."

"The ‘it won't happen to us' mentality is what emboldens hackers to continue making money through data theft," says Sickler. "It's not much different than criminals stealing money from unlocked cars. If everyone does a better job of locking their doors, the rate of theft will significantly decline."

Our Editorial Policies: The information contained in Ask Experian is for educational purposes only and is not legal advice. Opinions expressed here are author's alone, not those of any bank, credit card issuer or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.

While maintained for your information, archived posts may not reflect current Experian policy. The Ask Experian team cannot respond to each question individually. However, if your question is of interest to a wide audience of consumers, the Experian team will include it in a future post.

Advertiser Disclosure: The credit card offers that appear on this site are from third party companies ("our partners") from which Experian Consumer Services receives compensation, however, the compensation does not impact how or where the products appear on this site. The offers on the site do not represent all available financial services, companies, or products.

Credit scores are used to represent the creditworthiness of a person and may be one indicator to the credit type you are eligible for. However, credit score alone does not guarantee or imply approval for any offer.

For complete information, see the terms and conditions on the credit card issuer’s website. Once you click apply for this card, you will be directed to the issuer’s website where you may review the terms and conditions of the card before applying. We show a summary to help you choose a product, not the full legal terms – and before applying you should understand the full terms of the product as stated by the issuer itself. While Experian Consumer Services uses reasonable efforts to present the most accurate information, all offer information is presented without warranty.